SSLv3/TLSv1 Security Exploit


Greg Wilkins-3
On September 19, 2011 an exploit of a vulnerability in SSL 3.0 and TLS
1.0 (and below) was demonstrated that allows an attacker to decrypt
communications between 2 parties.  The demonstration was against a
PayPal Authentication cookie, which took 10 minutes to decipher with
the aid of a packet sniffer and some hostile javascript running in the
browser.

http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/

While TLS 1.1 and 1.2 are not vulnerable, these versions are not yet
commonly available in browsers and JVMs. Java 6 currently only
supports TLS 1.0, while Java 7 supports TLS 1.1 and 1.2. It has not
yet been announced if a TLS 1.1 provider will be made available for
Java 6. As of recently, the browser support for TLS can be seen at
http://en.wikipedia.org/wiki/Transport_Layer_Security#Browser_implementations.
Google Chrome has already announced imminent support for 1.2 and it
is expected that the other browsers will follow shortly (see
http://www.theregister.co.uk/2011/09/21/google_chrome_patch_for_beast/).

Jetty, when used with its default configuration of SSL, will use the
highest common version of TLS available that is shared by the browsers
and JVM. Thus if Jetty is running on Java 7 today, it will
automatically use TLS 1.1 or 1.2 if it is available in the browser.
However, there is currently no mechanism to disable protocol versions
within Jetty (unless they are disabled in the JVM).

Jetty-7.5.2-SNAPSHOT has now been modified to support lists of
included and excluded protocols in the configuration of the
SslContextFactory class used to configure SSL clients and server
connectors.  This will allow TLS 1.0 to be excluded once clients that
support it are widely deployed. A stable release of 7.5.2 will be
available next week.

We strongly recommend that you upgrade your systems (browser and
JVMs) to support TLS 1.1 or later. For Jetty servers, this currently
means running on Java 7. Until TLS 1.1 is widely available in
browsers, it is recommended that you evaluate the risks of continuing
to provide your services over SSL and TLS.

regards
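
The include/exclude protocol lists described in the message, sketched with plain JSSE as an added example that is not part of the original message and is not Jetty's code. The class `ProtocolFilter`, the method `select` and the "empty include list means all supported" rule are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added illustration; the class and method names are hypothetical, not Jetty's.
public class ProtocolFilter {

    // Apply include/exclude lists to the protocols the JVM supports.
    // Assumption: an empty include list means "start from everything supported".
    static String[] select(String[] supported, String[] include, String[] exclude) {
        Set<String> selected = new LinkedHashSet<String>(Arrays.asList(supported));
        if (include.length > 0) {
            selected.retainAll(Arrays.asList(include));
        }
        selected.removeAll(Arrays.asList(exclude));
        if (selected.isEmpty()) {
            // Happens when the JVM offers nothing newer than the excluded versions.
            throw new IllegalStateException("no protocol left to enable; supported="
                    + Arrays.toString(supported));
        }
        return selected.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        String[] exclude = {"SSLv2Hello", "SSLv3", "TLSv1"};

        // Restrict this engine to whatever the JVM supports above TLS 1.0.
        String[] enabled = select(engine.getSupportedProtocols(), new String[0], exclude);
        engine.setEnabledProtocols(enabled);
        System.out.println("supported: " + Arrays.toString(engine.getSupportedProtocols()));
        System.out.println("enabled:   " + Arrays.toString(engine.getEnabledProtocols()));

        // Constructed input: the protocol list of a JVM limited to TLS 1.0 and below.
        try {
            select(new String[] {"SSLv2Hello", "SSLv3", "TLSv1"}, new String[0], exclude);
        } catch (IllegalStateException e) {
            System.out.println("TLS 1.0-only JVM: " + e.getMessage());
        }
    }
}
```

The second call shows why excluding TLS 1.0 only works on a JVM that also offers TLS 1.1 or 1.2: on a TLS 1.0-only JVM the filter leaves nothing to enable and fails at configuration time.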
